
Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID



On Tue, Nov 29, 2016 at 01:33:54PM +0100, Raphael Hertzog wrote:
> On Tue, 29 Nov 2016, Roberto C. Sánchez wrote:
> > Hi Raphael,
> > 
> > On Tue, Nov 29, 2016 at 12:14:10PM +0100, Raphael Hertzog wrote:
> > > Hi,
> > > 
> > > On Mon, 28 Nov 2016, Roberto C. Sánchez wrote:
> > > > Quite right:
> > > > http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u7_6.7.7.10-5+deb7u8.diff
> > > 
> > > Some comments:
> > > - since we have no git history, it's nice to indicate in each patch what
> > >   CVE it fixes (I like to name the patch according to the CVE it fixes too);
> > >   here, I have to look up the upstream ticket or commit to find out, and in many
> > >   cases it's no longer possible since the patch refers to a
> > >   trac.imagemagick.org URL which no longer exists and/or the commit does
> > >   not have the CVE number :(
> > 
> > My initial post to the list had a question about how to handle the
> > issues without a CVE ID in the DLA.  The suggestion was to annotate the
> 
> Right, but when I look at
> https://security-tracker.debian.org/tracker/source-package/imagemagick
> most of the issues have CVE numbers assigned. And while you have put
> the CVE numbers in the changelog, they are not in the patches themselves
> (and the patch name is not in the changelog either). So it's currently
> hard to map a patch back to its associated CVE.
> 
> My request is thus to include the CVE number (when applicable) in each
> patch directly, either through the filename or in the description (or
> both, which is what I usually do).
> 
OK.  I missed the part where you said "in each patch."  I can certainly
do that.

> > corresponding Debian bug numbers.  I can do the same for the changelog
> > entries, assuming that it is not a problem that all those bugs will then
> > have closure notices related to this upload.
> 
> No, it's clearly not a problem, on the contrary it will give the BTS a
> more comprehensive view of the fixed versions for each bug.
> 

I will update the changelog accordingly.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
